kadm5 API questions

Rick van Rein rick at openfortress.nl
Thu Mar 21 03:55:50 EDT 2019


I am programming to the kadm5 API, and a few things are not clear to me.
 Can anyone help?

There is some mention in the code about old and new GSS-API
authentication (kadmin options -O and -N to force).  What is the
difference, and is the new style still based on GSS-API?

IIRC, a property of GSS-API is that it will automatically
re-authenticate when a credential has expired.  Does this apply to the
old and new GSS-API mechanisms too?

Even if I have a krb5_context already, I seem to need a separate one for
kadm5 use.  Is this because the plain context is about local management,
and the kadm5 is more like a client-to-a-service context, possibly using
its own identity, addressing another realm, that sort of thing?

Is it true that kadmind can only serve one realm?  That would be
different from the KDC, and a bit of a surprise.  It increases the
burden of adding a new realm, especially when this is automated.

My KXOVER daemon identifies as kxover/public.  Do I need to have that
name in every realm it manages, or is it sufficient to have an ACL
setting permitting an identity from another realm adding and removing
principals through kadm5?  [inconsistent test results]

FWIW, the software I am working on is for automated realm crossover, and
(the module for MIT krb5) develops at

It is mostly a wrapper around the KDC, adding TCP/TLS and running a
DANE/X.509-protected key exchange over the connection.  Inside the KDC,
all that is required is a dynamic facility for host2realm mapping (like
a DNSSEC-protected lookup).


More information about the Kerberos mailing list